Skip to Main Content
  • Questions
  • TDE Encryption of local Oracle databases. KEK hosted on cloud service?



Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

Question and Answer

Connor McDonald

Thanks for the question, Olivier.

Asked: November 07, 2019 - 8:53 am UTC

Answered by: Connor McDonald - Last updated: November 11, 2019 - 2:32 am UTC

Category: Database Administration - Version: Various

Viewed 100+ times

Whilst you are here, check out some content from the AskTom team: On Connecting, Pivoting, and Learning New Things

You Asked


We want to encrypt some on-premise Oracle databases.
If possible, we would like to avoid to use a physical HSM or to contract with a third party HSM cloud provider.
Is this possible to store the KEK's in GCP or Azure, and to interface our local databases with it?
I don't need technical details yet, just information on the possibilities.



and we said...

This is from the TDE FAQ hosted here:

Can TDE store its master encryption key in an external device using the PKSC11 interface?

Starting in Oracle Database 11g Release 2, customers of Oracle Advanced Security Transparent Data Encryption (TDE) optionally may store the TDE master encryption key in an external device using the PKCS11 interface. In this setup, the master key is stored directly in the third-party device rather than in the included Oracle Wallet (note: the Oracle Wallet is a PKCS12 file-based keystore which is used by most TDE customers).

When using PKCS11, the third-party vendor provides the storage device, PKCS11 software client library, secure communication from the device to the PKCS11 client (running on the database server), authentication, auditing, and other related functionality. The vendor also is responsible for testing and ensuring high-availability of the TDE master encryption key in diverse database server environments and configurations. Customers should contact the device vendor to receive assistance for any related issues.

So as long as your provider supports that, it should be possible.

More to Explore


Need more information on Administration? Check out the Administrators guide for the Oracle Database